DDoS alerts
Configure notifications to receive real-time alerts (within ~1 minute) about L3/4 and L7 DDoS attacks on your Internet properties, depending on your plan and services. You can choose from different delivery methods.
Each notification email includes the following information:
- Description
- Detection and mitigation time of attack
- Attack type
- Maximum rate of attack
- Attack target
- Rule that matched the attack (ID and description)
- Rule override, if any
Notifications for HTTP DDoS alerts delivered through webhook or PagerDuty will also include the target hostname.
You will not receive duplicate DDoS alerts within the same one-hour time frame.
Cloudflare automatically sends weekly summaries of detected and mitigated DDoS attacks to Magic Transit and Spectrum BYOIP customers. For more information, refer to DDoS reports.
Set up a notification for DDoS alerts
To set up a notification:
-
Log in to the Cloudflare dashboard and select your account.
-
Select Notifications.
-
Under Notifications, select Add.
-
Select one of the available DDoS alerts (depending on your plan and services):
- HTTP DDoS Attack Alert
- Layer 3/4 DDoS Attack Alert
- Advanced HTTP DDoS Attack Alert
- Advanced Layer 3/4 DDoS Attack Alert
-
Enter a notification name and (optionally) a description.
-
Configure a delivery method for the notification. The available delivery methods depend on your Cloudflare plan. For more information, refer to Cloudflare Notifications.
-
If you are creating a notification for one of the advanced DDoS attack alerts, select Next and define the parameters that will filter the notifications you will receive.
-
Select Save.
Edit an existing notification
To edit, delete, or disable a notification, go to your account notifications.
Alert types
Cloudflare can issue notifications for different types of DDoS attack alerts.
Standard alerts
- HTTP DDoS Attack Alert: Alert for HTTP attacks that generate more than 100 requests per second.
- Layer 3/4 DDoS Attack Alert: Alert for Layer 3/4 attacks that generate more than 20,000 packets per second.
Advanced alerts
Advanced DDoS attack alerts support additional configuration, allowing you to filter the notifications you wish to receive.
-
Advanced HTTP DDoS Attack Alert: Customizable alert for HTTP attacks that generate more than the configured number of requests per second (100 rps by default). Supports the following configuration parameters:
- The zones in your account for which you wish to receive notifications.
- The specific hostnames for which you wish to receive notifications.
- The minimum requests-per-second rate that will trigger the alert (100 rps by default).
-
Advanced Layer 3/4 DDoS Attack Alert: Customizable alert for Layer 3/4 attacks that generate more than the configured number of packets per second (12,000 pps by default). Supports the following configuration parameters:
- The IP prefixes for which you wish to receive notifications.
- The specific IP addresses for which you wish to receive notifications.
- The minimum packets-per-second rate that will trigger the alert (12,000 pps by default).
- The minimum megabits-per-second rate that will trigger the alert.
- The protocols for which you wish to receive notifications (all protocols by default).
You will also receive alerts for rules with a Log action, containing information on what triggered the alert.
Availability
The available alerts depend on your Cloudflare plan and subscribed services:
Alert type | WAF/CDN | Spectrum | Spectrum BYOIP | Magic Transit |
---|---|---|---|---|
HTTP DDoS Attack Alert | Yes | – | – | – |
Advanced HTTP DDoS Attack Alert | Yes1 | – | – | – |
Layer 3/4 DDoS Attack Alert | – | Yes2, 3 | Yes | Yes3 |
Advanced Layer 3/4 DDoS Attack Alert | – | – | Yes2 | Yes2 |
1 Only available to Enterprise customers with the Advanced DDoS Protection subscription.
2 Only available on an Enterprise plan.
3 Refer to Final remarks for additional notes.
Example notification
The following image shows an example notification delivered via email:
To investigate a possibly ongoing attack, select View Dashboard. To go to the rule details in the Cloudflare dashboard, select View Rule.
Final remarks
-
Spectrum and Magic Transit customers using assigned Cloudflare IP addresses will receive layer 3/4 DDoS attack alerts where the attacked target is the Cloudflare IP or prefix. If you have brought your own IP (BYOIP) to Cloudflare Spectrum or Magic Transit, you will see your own IP addresses or prefixes as the attacked target.
-
In some cases, HTTP DDoS attack alerts will reference the attacked zone name instead of the attacked hostname. This occurs when the attack signature does not include information on the attacked hostname because it is not a strong indicator for identifying attack requests. For more information on attack signatures, refer to How DDoS protection works.
-
DDoS alerts are currently only available for DDoS attacks detected and mitigated by the DDoS managed rulesets. Alerts are not yet available for DDoS attacks detected and mitigated by the Advanced TCP Protection system.
-
If you configure more than one alert type for the same kind of attack (for example, both an HTTP DDoS Attack Alert and an Advanced HTTP DDoS Attack Alert) you may get more than one notification when an attack occurs. To avoid receiving duplicate notifications, delete one of the configured alerts.
-
Events listed under Security Events with the
Connection Close
mitigation action are not covered by DDoS alerts. Cloudflare only sends notifications when the mitigation action is one of the following:force-conn-close
,block
,ratelimit
, orcaptcha
.